The Promotion of Access to Information Act (PAIA) states that the head of a private body is its Information Officer, and that they should compile a PAIA manual for the private body and update the manual regularly. According to PAIA, each entity therefore has an Information Officer (who can delegate the task to someone else) and needs to compile a manual.
Many of our clients are subsidiaries within a group, and they are often faced with the question of how many Information Officers and PAIA manuals the group needs to have. Should they have one Information Officer and one manual for the entire group? Or should they have one Information Officer and one manual for each entity within the group? As an example, let's say there is a holding company with four subsidiaries. Is it possible to have just one Information Officer and one manual? Divisions are easy. They are not separate entities, but part of the same entity. Therefore, one manual and one Information Officer.
The factors to take into account
In the context of a group, it is a complex question with pros and cons both ways. This is not a “one-size-fits-all” situation. You need to decide what best suits you. These are some factors that should be looked at to answer the question.
Many entities delegating the role of the Information Officer to one person might well reduce costs. But remember that each entity still has its own Information Officer; the role is merely being delegated to someone else.
Clients are often worried that the cost of creating a separate manual for each entity will be higher than drafting one for all entities. However, a group can draft a manual for each entity within the group that is essentially identical to the others and just tweak it for that entity. For example, the cost and work involved in having one manual for five entities should be the same as having five manuals – one for each entity. Let’s analyse the two situations in more detail:
- One manual for five entities. Each entity needs to be named in the manual. The manual needs to address the common things between the entities, and any specific issues that relate to each of the entities.
- Five manuals, one for each entity. One entity is named in each manual. Each manual addresses only the things that relate to that entity.
These two situations are really the same thing.
Reducing the admin burden
Having one Information Officer might well reduce the admin burden. Having one person doing a task for many is often better than having many each doing the task.
It may seem that having one manual reduces the admin burden. Having five manuals for five entities does mean that if you update one, you might have to update the others too, and inconsistencies might creep in.
In terms of the Protection of Personal Information Act (POPI) the Information Officer must ensure that the entity complies with POPI. There are two risks to the responsible party if they do not protect personal information:
- Data subjects can sue for damages.
- If you are guilty of a criminal offence, the Information Regulator can fine or jail you.
Groups are usually structured with separate entities within them to minimise and separate risk among the different entities – to compartmentalise the business. The first step in holding someone responsible for failing to protect information as required by POPI is to work out who is going to be responsible (who is the responsible party?).
One of the factors the Regulator (or the court) will take into account in determining this will be the PAIA manual and who was delegated to be the Information Officer for the body. If there is only one manual and one officer for a group of companies, there is a strong argument that the entire group is responsible. It creates the impression of joint and several liability, and that the whole group is the responsible party (or that all entities in the group are joint responsible parties). If, on the other hand, there are separate PAIA manuals and Information Officers for each entity within the group, there is a stronger argument that the responsible party is just one of the entities within the group. By doing so, you keep your risk separate and don’t expose the entire group to the risk of data subjects suing one entity because that entity failed to protect their personal information. This separation of risk is often exactly what the group is structured to achieve.
For example, suppose 20 000 data subjects (customers of a bank) each had a R5 000 claim against the bank for failing to protect their personal information. A claim against just one entity in the group is a better situation for the bank than a claim against the group as a whole. It could prevent one claim from bringing down the entire group, as opposed to bringing down a single entity in the group.
We think you can have one Information Officer for the whole group, but that person must always be clear about which entity they are representing. They wear five hats, and it must always be certain whose hat they wear.
We think it is better to have one PAIA manual for each entity within the group. The South African Human Rights Commission (SAHRC) agrees with this approach. They state that holding companies and each of their entities or subsidiaries must submit separate manuals.
The risk will be separated within the group, and it will be to the group’s advantage to have the claim against a specific entity rather than the entire group. Mitigating this risk by keeping it separate outweighs any possible cost saving or reduction in the admin burden. In any case, having one or five manuals is really the same thing. You can still draft one all-encompassing manual, then create four copies and delete what is not relevant to the specific entity to which each manual relates.
However, remember that (from a marketing perspective) you might want all entities within a group to be joint responsible parties so that they can cross-sell their products and services to the customers of the other subsidiaries.